The St. Paul school district recently notified more than 43,000 families about a “data security incident” in February.
Student names and email addresses were the only information in the “unauthorized access,” according to St. Paul Public Schools.
“SPPS has no evidence that any personal email addresses, physical addresses, or sensitive information were impacted,” said district spokesperson Erica Wacker. “We also have no reason to believe that any data from SPPS has been misused as a result of this incident. This incident did not involve ransomware.”
In a separate incident, there was a ransomware attack in February on Minneapolis Public Schools that was “orders of magnitude more serious,” said Doug Levin, national director of the nonprofit K12 Security Information eXchange (K12 SIX). But the St. Paul incident is still a reminder to be cautious, he said.
“When cybercriminals obtain personal information, they will try to conduct identity theft, and that’s led to credit fraud and tax fraud,” said Levin of what’s happened in other cases. “We also have seen victims of data breaches … being more likely to receive malicious emails, social engineering emails, phishing emails.”
Expert: School districts should provide timely notifications
St. Paul Public Schools “became aware of suspicious activity in its network environment” in February and immediately worked with the FBI, Minnesota IT Services and the Minnesota Department of Public Safety to investigate, according to a letter sent to families this month.
The school district in February notified “those who were impacted at that time,” Wacker said. “It was not until July 17 that the district could confirm the full scope of the incident.”
Then, SPPS “identified all individuals whose data may have been compromised and secured mailing addresses for the impacted persons, which was completed on Aug. 15,” according to the district’s letter. The letters started arriving in the mail to families last Friday, Wacker said.
The amount of time that passed from the incident to notifying families is “absolutely problematic,” Levin said Friday.
He said investigations take time, “but we are big believers in disclosure and keeping school communities in the loop along the way.” That’s important so people “can take measures to protect themselves” because “immediately after information is made available to cyber criminals, they will try to abuse it,” according to Levin.
Wacker said the school district “has worked diligently to gather as much information as possible about what happened. SPPS felt it necessary to understand the situation as thoroughly and accurately as possible in order to determine the best course of action before providing notifications.”
Investigation ongoing
A suspect has been identified and an investigation is ongoing, the school district wrote in its letter. What happened was hacking, but not of a sophisticated nature, Levin said.
“SPPS has also taken steps to prevent a similar event from occurring in the future,” the letter from the district continued. At the beginning of the school year, each student received a new, unique password.
There were 43,727 student email addresses impacted, which includes all students enrolled in SPPS in the 2022-23 school year and students at private and charter schools where the public school district provides services and thus email addresses, according to Wacker.
Meanwhile, the Minneapolis school district sent formal written notices to about 105,617 people earlier this month after a cybersecurity attack in February. In that case, after the district would not pay a $1 million ransom, information stolen from the district was posted online, including about student sexual assaults, psychiatric hospitalizations, abusive parents, truancy and suicide attempts.
Minneapolis Public Schools notified “a limited number of known impacted individuals” in April and an investigation continued “to determine the full scope of the impacted population,” according to a report that the district posted online this month.
What parents can do
Cyber incidents on school districts are “probably much more common than people understand,” Levin said. “On average, we are seeing a school district a day being compromised across the country,” ranging from large to small and rural to urban, he said.
Levin recommends that parents ensure their students are keeping school email addresses and passwords separate from personal accounts. He suggests parents, regardless of whether their school district had a data breach, freeze their juvenile children’s credit records; he said it’s a relatively simple process they can do with each of the three credit reporting agencies and it keeps cybercriminals from using their children’s identities.
And Levin says parents should be asking questions of principals, school boards and superintendents about what they’re doing to keep student information safe and secure.
On Tuesday, Minnesota IT Services with the Minnesota Cybersecurity Task Force launched the 2023 Whole-of-State Cybersecurity Plan with the aim of strengthening local government cyber defenses. It will be used to distribute $23.5 million in funding.
“We are living in a time when it’s easier to access information than ever before,” said Tarek Tomes, MNIT commissioner, in a statement. “This plan continues our efforts to collaborate with governments and schools responsible for keeping Minnesotans’ information secure.”